The FIN6 hacking group is now impersonating job seekers to target recruiters, a twist on the usual hiring-themed social engineering attacks. Using convincing resumes and well-built phishing sites, the group delivers the ‘More Eggs’ malware to its targets. FIN6, also known as “Skeleton Spider,” started out in financial fraud and expanded into ransomware attacks in 2019.
Operating behind many fake job seeker personas, the group first approaches recruiters and HR departments on LinkedIn and Indeed. Once it has built some rapport with a target, it follows up with professionally crafted phishing emails. These emails contain non-clickable URLs to the attackers’ “resume sites,” which evades link-scanning and forces recipients to type the address manually. The domains, registered anonymously through GoDaddy, are hosted on AWS, a trusted cloud service that security tools rarely flag. This makes the whole setup look legitimate to the recruiters being targeted.
The campaign delivers a malware-as-a-service JavaScript backdoor known for credential theft, persistent system access, and ransomware deployment.
FIN6 has also added environmental fingerprinting and behavioral checks so that only intended targets reach the real landing pages. Connections from VPNs or cloud providers, and visits from Linux or macOS systems, are blocked and served innocuous website content instead. Qualified victims see a fake CAPTCHA step before being prompted to download a ZIP archive. That archive contains a disguised Windows shortcut file which, when opened, executes a script that downloads the ‘More Eggs’ modular backdoor.
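The last step of the chain, a ZIP "resume" that actually carries a Windows shortcut, is something a mail gateway or recruiter-side triage script can check for without opening the file. The following Python is an added example written for this article, not code from the report or from any vendor: it builds a constructed sample archive in memory and scans each entry by extension and by the fixed ShellLink header that every `.lnk` file starts with, so a shortcut renamed to `.txt` or `.pdf` is still caught. The file names and the extension list beyond `.lnk` are the editor's assumptions.

```python
import io
import os
import zipfile

# Every Windows shortcut begins with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")

# Extensions that have no business in a resume archive (assumed list; .lnk is
# the one the campaign uses, the rest are common script/executable carriers).
SUSPICIOUS_EXTENSIONS = {".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign PDF, one double-extension shortcut,
    one shortcut hiding behind a .txt name, and a benign image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_Jane_Doe.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("Resume_Jane_Doe.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("cover_letter.txt", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("portfolio.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


def scan_resume_archive(zip_bytes: bytes) -> list:
    """Return a list of {'name', 'reasons'} dicts for entries that look like
    shortcut or script payloads. An empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            ext = os.path.splitext(lower)[1]
            reasons = []

            # Name-based checks: bad extension, and the classic "file.pdf.lnk" trick.
            if ext in SUSPICIOUS_EXTENSIONS:
                reasons.append(f"executable-type extension {ext}")
                if lower.count(".") >= 2:
                    reasons.append("double extension hides the real type")

            # Content-based check: read only the header so the file is never executed.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("ShellLink header: this is a Windows shortcut")
                if ext != ".lnk":
                    reasons.append("extension does not match shortcut content")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """Convenience verdict for a gateway rule: quarantine when anything is flagged."""
    return bool(scan_resume_archive(zip_bytes))


if __name__ == "__main__":
    for finding in scan_resume_archive(build_sample_archive()):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The header check matters more than the extension check: renaming a shortcut does not change its first 20 bytes, and reading only those bytes keeps the scanner from ever handing the file to the shell.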
The backdoor is sold by a threat actor known in the cybercrime community as “Venom Spider.”
This simple but effective FIN6 campaign succeeds through sophisticated social engineering combined with multiple evasion techniques. Recruiters and human resources staff should treat every invitation to review a resume or portfolio with caution, and be especially wary when asked to visit an external site to download a resume rather than receiving it as an attachment. Companies and recruiting agencies should independently confirm a candidate’s identity by contacting the listed references or people at the companies named, so that the job seeker’s legitimacy is verified before engaging further or opening any provided files.
Reference: